From ba1d03f2525735aef65975b9577c7c004e9567a3 Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Fri, 17 Jan 2020 13:52:29 -0800 Subject: [PATCH 1/9] Update batch_timeout to reflect ms units * Update batch-timeout() value from 1 to 1000 to reflect ms units. Intended value still 1 second. --- package/etc/conf.d/destinations/splunk_hec.conf.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl index 90dc794..a67c802 100644 --- a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl +++ b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl @@ -6,7 +6,7 @@ destination d_hec { workers({{- getenv "SC4S_DEST_SPLUNK_HEC_WORKERS" "10"}}) batch-lines({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_LINES" "1000"}}) batch-bytes({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_BYTES" "4096kb"}}) - batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "1"}}) + batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "1000"}}) timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_TIMEOUT" "30"}}) user_agent("sc4s/1.0 (events)") user("sc4s") From 07e689549f2b50994ced253eabcacb5ea0225255 Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Fri, 17 Jan 2020 22:40:15 -0800 Subject: [PATCH 2/9] Simplify log paths with junction/channel * Remove two-pass gomplate template for unique ports and replace with simpler junction/channel syntax --- .../p_rfc3164-juniper_netscreen.conf.tmpl | 31 ++++++++----------- 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl index 6fca3d1..153519c 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl 
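Review bot: Changing the default from "1" to "1000" also changes the unit of the SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT override, so a deployment that already sets that variable to a seconds value (say `5`) now gets a 5 ms batch timeout, which is likely to produce very small batches and extra load on the HEC endpoint. The template gives no hint of the unit, and the neighbouring `timeout()` default of 30 reads like seconds, so the two adjacent options look as if they share a unit when they do not. I would add `# batch-timeout() is in milliseconds; timeout() is in seconds` above the changed line and call the unit change out as breaking for existing overrides. That `timeout()` is in seconds is inferred from its default, not shown by this hunk.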
@@ -3,16 +3,20 @@ {{- $context := dict "port_id" "JUNIPER_NETSCREEN" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_juniper_netscreen); -{{- end}} -{{- if eq (.) "no"}} - source (s_JUNIPER_NETSCREEN); + junction { + channel { + source (s_DEFAULT); + filter(f_juniper_netscreen); + flags(final); + }; +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT")) }} + channel { + source (s_JUNIPER_NETSCREEN); + flags (final); + }; {{- end}} + }; rewrite { set("juniper_netscreen", value("fields.sc4s_vendor_product")); @@ -31,13 +35,4 @@ log { {{- end}} flags(flow-control,final); -}; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for JUNIPER_NETSCREEN traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end }} - -# Listen on the default port (typically 514) for JUNIPER_NETSCREEN traffic -{{ tmpl.Exec "log_path" "yes" }} \ No newline at end of file +}; \ No newline at end of file From fac16313f9ce0602e09bb806a2b6adae40b2da3d Mon Sep 17 00:00:00 2001 
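Review bot: The channel order in the new junction is the reverse of every other log path converted later in this series: here the `s_DEFAULT` channel comes first with `flags(final)` and the dedicated-port channel second, whereas lp-example and the others put the dedicated-port channel first. Whether the order matters depends on how syslog-ng routes messages between channels that carry their own source(), which this hunk does not show, but a uniform order across the log paths avoids having to reason about it per file. The dedicated-port channel also lacks the `# Listen on the specified dedicated port(s) for JUNIPER_NETSCREEN traffic` and `# Listen on the default port (typically 514) for JUNIPER_NETSCREEN traffic` comments that the later conversions carry. The diffstat of PATCH 3 shows this file touched again (14 lines), so this may already be addressed there.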
From: Mark Bonsack Date: Mon, 20 Jan 2020 10:02:28 -0800 Subject: [PATCH 3/9] Rename log paths and update with junction/channel architecture * Remove message formatting prefix from log path names * Apply `lp-` prefix to indicate config file is a log path * Rename certain log paths to be more descriptive of function * Replace two-pass gomplate config with junction/channel config in each log path --- ...example.conf.tmpl => lp-example.conf.tmpl} | 45 +++++++------------ ...nf.tmpl => lp-checkpoint_splunk.conf.tmpl} | 34 +++++++------- ...o_acs.conf.tmpl => lp-cisco_acs.conf.tmpl} | 38 +++++++--------- ...o_asa.conf.tmpl => lp-cisco_asa.conf.tmpl} | 33 +++++++------- ...onf.tmpl => lp-cisco_asa_legacy.conf.tmpl} | 35 +++++++-------- ...o_ios.conf.tmpl => lp-cisco_ios.conf.tmpl} | 33 +++++++------- ...o_ise.conf.tmpl => lp-cisco_ise.conf.tmpl} | 37 +++++++-------- ...nxos.conf.tmpl => lp-cisco_nxos.conf.tmpl} | 34 +++++++------- ...f.tmpl => lp-epoch-cisco_meraki.conf.tmpl} | 31 ++++++------- ...mpl => lp-forcepoint_webprotect.conf.tmpl} | 33 +++++++------- ...onf.tmpl => lp-fortinet_fortios.conf.tmpl} | 33 +++++++------- ...foblox.conf.tmpl => lp-infoblox.conf.tmpl} | 34 +++++++------- ...idp.conf.tmpl => lp-juniper_idp.conf.tmpl} | 33 +++++++------- ...s.conf.tmpl => lp-juniper_junos.conf.tmpl} | 33 +++++++------- ... 
=> lp-juniper_junos_structured.conf.tmpl} | 33 +++++++------- ...nf.tmpl => lp-juniper_netscreen.conf.tmpl} | 14 +++--- ...nsm.conf.tmpl => lp-juniper_nsm.conf.tmpl} | 33 +++++++------- ...conf.tmpl => lp-juniper_nsm_idp.conf.tmpl} | 33 +++++++------- ....tmpl => lp-microfocus_arcsight.conf.tmpl} | 35 +++++++-------- ....conf.tmpl => lp-paloalto_panos.conf.tmpl} | 33 +++++++------- ....conf.tmpl => lp-proofpoint_pps.conf.tmpl} | 33 +++++++------- ...l.conf.tmpl => lp-sc4s_internal.conf.tmpl} | 5 +-- ...up.conf.tmpl => lp-sc4s_startup.conf.tmpl} | 5 +-- ....tmpl => lp-symantec_brightmail.conf.tmpl} | 35 +++++++-------- ....conf.tmpl => lp-symantec_proxy.conf.tmpl} | 33 +++++++------- ....conf.tmpl => lp-ubiquiti_unifi.conf.tmpl} | 34 +++++++------- ....conf.tmpl => lp-vmware_vsphere.conf.tmpl} | 36 +++++++-------- ...nss.conf.tmpl => lp-zscaler_nss.conf.tmpl} | 33 +++++++------- ....conf.tmpl => lp-zzy-nix_syslog.conf.tmpl} | 33 +++++++------- ...ck.conf.tmpl => lp-zzz-fallback.conf.tmpl} | 1 - ...example.conf.tmpl => lp-example.conf.tmpl} | 45 +++++++------------ 31 files changed, 425 insertions(+), 535 deletions(-) rename package/etc/conf.d/local/config/log_paths/{example.conf.tmpl => lp-example.conf.tmpl} (81%) rename package/etc/conf.d/log_paths/{p_rfc3164-checkpoint_splunk.conf.tmpl => lp-checkpoint_splunk.conf.tmpl} (88%) rename package/etc/conf.d/log_paths/{p_rfc3164-cisco_acs.conf.tmpl => lp-cisco_acs.conf.tmpl} (77%) rename package/etc/conf.d/log_paths/{p_rfc5424-noversion_cisco_asa.conf.tmpl => lp-cisco_asa.conf.tmpl} (69%) rename package/etc/conf.d/log_paths/{p_rfc3164-cisco_asa.conf.tmpl => lp-cisco_asa_legacy.conf.tmpl} (69%) rename package/etc/conf.d/log_paths/{p_rfc3164-cisco_ios.conf.tmpl => lp-cisco_ios.conf.tmpl} (71%) rename package/etc/conf.d/log_paths/{p_rfc3164-cisco_ise.conf.tmpl => lp-cisco_ise.conf.tmpl} (81%) rename package/etc/conf.d/log_paths/{p_rfc3164-cisco_nxos.conf.tmpl => lp-cisco_nxos.conf.tmpl} (71%) rename 
package/etc/conf.d/log_paths/{p_rfc5424_epoch-cisco_meraki.conf.tmpl => lp-epoch-cisco_meraki.conf.tmpl} (70%) rename package/etc/conf.d/log_paths/{p_rfc3164-forcepoint_webprotect.conf.tmpl => lp-forcepoint_webprotect.conf.tmpl} (70%) rename package/etc/conf.d/log_paths/{p_rfc3164-fortinet_fortios.conf.tmpl => lp-fortinet_fortios.conf.tmpl} (80%) rename package/etc/conf.d/log_paths/{p_rfc3164-infoblox.conf.tmpl => lp-infoblox.conf.tmpl} (85%) rename package/etc/conf.d/log_paths/{p_rfc3164-juniper_idp.conf.tmpl => lp-juniper_idp.conf.tmpl} (69%) rename package/etc/conf.d/log_paths/{p_rfc3164-juniper_junos.conf.tmpl => lp-juniper_junos.conf.tmpl} (81%) rename package/etc/conf.d/log_paths/{p_rfc5424-strict_juniper_junos.conf.tmpl => lp-juniper_junos_structured.conf.tmpl} (82%) rename package/etc/conf.d/log_paths/{p_rfc3164-juniper_netscreen.conf.tmpl => lp-juniper_netscreen.conf.tmpl} (87%) rename package/etc/conf.d/log_paths/{p_rfc3164-juniper_nsm.conf.tmpl => lp-juniper_nsm.conf.tmpl} (69%) rename package/etc/conf.d/log_paths/{p_rfc3164-juniper_nsm_idp.conf.tmpl => lp-juniper_nsm_idp.conf.tmpl} (69%) rename package/etc/conf.d/log_paths/{p_rfc3164-microfocus_arcsight.conf.tmpl => lp-microfocus_arcsight.conf.tmpl} (84%) rename package/etc/conf.d/log_paths/{p_rfc3164-paloalto_panos.conf.tmpl => lp-paloalto_panos.conf.tmpl} (88%) rename package/etc/conf.d/log_paths/{p_rfc3164-proofpoint_pps.conf.tmpl => lp-proofpoint_pps.conf.tmpl} (74%) rename package/etc/conf.d/log_paths/{internal.conf.tmpl => lp-sc4s_internal.conf.tmpl} (96%) rename package/etc/conf.d/log_paths/{startup.conf.tmpl => lp-sc4s_startup.conf.tmpl} (93%) rename package/etc/conf.d/log_paths/{p_rfc3164-symantec_brightmail.conf.tmpl => lp-symantec_brightmail.conf.tmpl} (83%) rename package/etc/conf.d/log_paths/{p_rfc5424-noversion_symantec_proxy.conf.tmpl => lp-symantec_proxy.conf.tmpl} (69%) rename package/etc/conf.d/log_paths/{p_rfc3164-ubiquiti_unifi.conf.tmpl => lp-ubiquiti_unifi.conf.tmpl} (91%) rename 
package/etc/conf.d/log_paths/{p_vmware_vsphere.conf.tmpl => lp-vmware_vsphere.conf.tmpl} (81%) rename package/etc/conf.d/log_paths/{p_rfc3164-zscaler_nss.conf.tmpl => lp-zscaler_nss.conf.tmpl} (88%) rename package/etc/conf.d/log_paths/{p_za_nix_syslog.conf.tmpl => lp-zzy-nix_syslog.conf.tmpl} (72%) rename package/etc/conf.d/log_paths/{p_zz_fallback.conf.tmpl => lp-zzz-fallback.conf.tmpl} (99%) rename package/etc/local_config/log_paths/{example.conf.tmpl => lp-example.conf.tmpl} (81%) diff --git a/package/etc/conf.d/local/config/log_paths/example.conf.tmpl b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl similarity index 81% rename from package/etc/conf.d/local/config/log_paths/example.conf.tmpl rename to package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl index 516f954..708bc7c 100644 --- a/package/etc/conf.d/local/config/log_paths/example.conf.tmpl +++ b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl 
@@ -29,24 +29,23 @@ {{- $context := dict "port_id" "LOCAL_EXAMPLE" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { - -{{- /* The first time this template is used the log_path will be linked to the default port */}} - -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_local_example); -{{- end}} - -{{- /* In the second pass through the template a link to the dedicated port is used. This */}} -{{- /* normally does not require additional filters */}} - -{{- if eq (.) "no"}} - source (s_LOCAL_EXAMPLE); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT")) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for LOCAL_EXAMPLE traffic + source (s_LOCAL_EXAMPLE); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for LOCAL_EXAMPLE traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_local_example); + flags(final); + }; + }; # Set a default sourcetype and index, as well as an appropriate value for the field # "sc4s_vendor_product". This field is sent as an indexed field to Splunk, 
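Review bot: This file is the example that local log paths are copied from, and the rewrite drops the three inline comments that explained the old two-pass template without replacing them with anything that explains the junction/channel form; the other converted files in this commit do the same. The new structure has two properties a copier needs to know: the dedicated-port channel carries no message filter, and both channels are `final`. A comment above `junction {` such as `# Two final channels: the dedicated-port channel has no message filter because arriving on that port is what identifies the vendor; the s_DEFAULT channel must filter, since it is shared with every other log path` would preserve what the removed comments conveyed.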
@@ -86,16 +85,4 @@ log { # All passes through any matching log path will be final flags(flow-control,final); -}; -{{- end}} - -{{- /* Prepare to run two passes through this template, one for default traffic and another for */}} -{{- /* "unique ports" if they are configured. */}} - -{{- if or (or (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT")) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for LOCAL_EXAMPLE traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end }} - -# Listen on the default port (typically 514) for LOCAL_EXAMPLE traffic -{{ tmpl.Exec "log_path" "yes" }} \ No newline at end of file +}; \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl similarity index 88% rename from package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl rename to package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl index 0fd2808..fcfc452 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl 
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_checkpoint_splunk); -{{- end}} -{{- if eq (.) "no"}} - source (s_CHECKPOINT_SPLUNK); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT")) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic + source (s_CHECKPOINT_SPLUNK); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for CHECKPOINT_SPLUNK traffic + source(s_DEFAULT); + filter(f_is_rfc3164); + filter(f_checkpoint_splunk); + flags(final); + }; + }; if { filter(f_nix_syslog); @@ -83,12 +89,4 @@ log { {{- end}} flags(flow-control,final); -}; -{{- end}} -{{- if or (or (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT")) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for CHECKPOINT_SPLUNK traffic -{{ tmpl.Exec "log_path" "yes" }} +}; \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl similarity index 77% rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl rename to package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl index 0e3c4c1..9397bc0 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl 
@@ -46,17 +46,24 @@ parser acs_event_time { template("${ACS.DATE} ${ACS.TIME} ${ACS.TZ}") ); }; -{{- /* The following is an inline template to generate the actual log path */}} -{{ define "log_path" }} + log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_cisco_acs); -{{- end}} -{{- if eq (.) "no"}} - source (s_CISCO_ACS); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for CISCO_NX_OS traffic + source (s_CISCO_NX_OS); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for CISCO_NX_OS traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_cisco_acs); + flags(final); + }; + }; parser(acs_grouping); @@ -83,15 +90,4 @@ log { flags(flow-control,final); }; - -}; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ACS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ACS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ACS_TLS_PORT")) }} - -# Listen on the specified dedicated port(s) for CISCO_ACS traffic - {{tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for CISCO_ACS traffic -{{tmpl.Exec "log_path" "yes" }} +}; \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl similarity index 69% rename from package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl rename to package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl index 59e9c50..e09f3cf 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl 
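Review bot: The new junction in lp-cisco_acs.conf.tmpl is wired to the wrong vendor: the `{{- if or ...}}` guard reads the `SC4S_LISTEN_CISCO_NX_OS_*_PORT` variables, the channel sources `s_CISCO_NX_OS`, and both comments say CISCO_NX_OS, while this file's own context sets `port_id "CISCO_ACS"` and the removed lines referenced `s_CISCO_ACS` and `SC4S_LISTEN_CISCO_ACS_*`. As written, an ACS dedicated port configured through the ACS variables is defined by t/source_network.t but referenced by no log path, so events sent there are presumably not routed, and if an NX-OS dedicated port is configured, this path and lp-cisco_nxos both consume `s_CISCO_NX_OS`, so NX-OS events could be run through the ACS parser with results that depend on log-path ordering. The guard should use `SC4S_LISTEN_CISCO_ACS_TCP_PORT` / `_UDP_PORT` / `_TLS_PORT`, the source line should be `source (s_CISCO_ACS);`, and the two comments should say CISCO_ACS. This is the same copy/paste slip that the first hunk of lp-cisco_ise.conf.tmpl in this commit corrects for `port_id`.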
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "CISCO_ASA" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc5424_noversion); - filter(f_cisco_asa); -{{- end}} -{{- if eq (.) "no"}} - source (s_CISCO_ASA); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for CISCO_ASA traffic + source (s_CISCO_ASA); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for CISCO_ASA traffic + source (s_DEFAULT); + filter(f_is_rfc5424_noversion); + filter(f_cisco_asa); + flags(final); + }; + }; rewrite { set("cisco_asa", value("fields.sc4s_vendor_product")); @@ -33,12 +39,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for CISCO_ASA traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for CISCO_ASA traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl similarity index 69% rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl rename to package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl index b794ad8..b027c3d 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl 
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_cisco_asa); -{{- end}} -{{- if eq (.) "no"}} - source (s_CISCO_ASA_LEGACY); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for CISCO_ASA_LEGACY traffic + source (s_CISCO_ASA_LEGACY); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for CISCO_ASA_LEGACY traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_cisco_asa); + flags(final); + }; + }; rewrite { set("cisco_asa", value("fields.sc4s_vendor_product")); @@ -31,16 +37,5 @@ log { destination(d_archive); {{- end}} - flags(flow-control,final); - }; -{{- end}} -{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TLS_PORT")) }} - -# Listen on the specified dedicated port(s) for CISCO_ASA_LEGACY traffic - {{tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for CISCO_ASA_LEGACY traffic -{{tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl similarity index 71% rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl rename to package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl index 2749bc8..63cde5e 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl 
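Review bot: The second hunk of this file (`@@ -31,16 +37,5 @@`) appears to remove `flags(flow-control,final);` from the log statement instead of keeping it as context, and the second hunk of lp-cisco_nxos.conf.tmpl (`@@ -32,15 +38,5 @@`) shows the same `- flags(flow-control,final);` marker, whereas lp-cisco_asa, lp-cisco_ios and the other conversions keep that line unchanged. The collapsed diff makes that marker ambiguous with a removed blank line, but the old/new line counts of the nxos hunk fit the removal reading better. If the line is gone, messages matched by these two log paths would continue into later log paths (including any fallback) and be delivered twice, and the paths would also lose flow control toward the destinations. Please confirm that `flags(flow-control,final);` still precedes the closing `};` in both files.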
@@ -3,16 +3,22 @@ {{- $context := dict "port_id" "CISCO_IOS" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes" }} - source(s_DEFAULT); - filter(f_is_cisco_ios); -{{- end }} -{{- if eq (.) "no" }} - source (s_CISCO_IOS); -{{- end }} + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_IOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_IOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_IOS_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for CISCO_IOS traffic + source (s_CISCO_IOS); + flags (final); + }; +{{- end}} + channel { + # Listen on the default port (typically 514) for CISCO_IOS traffic + source (s_DEFAULT); + filter(f_is_cisco_ios); + flags(final); + }; + }; rewrite { set("cisco_ios", value("fields.sc4s_vendor_product")); @@ -33,12 +39,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_IOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_IOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_IOS_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for CISCO_IOS traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for CISCO_IOS traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl similarity index 81% rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl rename to package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl index b56dae5..818ada8 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl 
@@ -1,6 +1,6 @@ # Cisco ISE {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }} +{{- $context := dict "port_id" "CISCO_ISE" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} # This filter uses a field we set to prevent the original messages before aggregation from being @@ -48,17 +48,24 @@ parser ise_event_time { template("${ISE.DATE} ${ISE.TIME} ${ISE.TZ}") ); }; -{{- /* The following is an inline template to generate the actual log path */}} -{{ define "log_path" }} + log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_cisco_ise); -{{- end}} -{{- if eq (.) "no"}} - source (s_CISCO_ISE); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ISE_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ISE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ISE_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for CISCO_ISE traffic + source (s_CISCO_ISE); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for CISCO_ISE traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_cisco_ise); + flags(final); + }; + }; parser(ise_grouping); @@ -86,13 +93,3 @@ log { }; }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ISE_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ISE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ISE_TLS_PORT")) }} - -# Listen on the specified dedicated port(s) for CISCO_ISE traffic - {{tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for CISCO_ISE traffic -{{tmpl.Exec "log_path" "yes" }} 
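Review bot: The first hunk changes `port_id` from `CISCO_NX_OS` to `CISCO_ISE`, which is a functional fix (the ISE dedicated-port source and its `SC4S_LISTEN_CISCO_ISE_*` variables were previously generated under the NX-OS identifiers) rather than part of the rename/restructure the commit message describes. It deserves its own bullet in the message and a release note, since the variables that control the ISE dedicated port change with it. The same identifier mix-up is introduced fresh in the junction of lp-cisco_acs.conf.tmpl in this commit.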
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl similarity index 71% rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl rename to package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl index 683dc1f..66bbc5e 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl @@ -3,16 +3,22 @@ {{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes" }} - source(s_DEFAULT); - filter(f_cisco_nx_os); -{{- end }} -{{- if eq (.) "no" }} - source (s_CISCO_NX_OS); -{{- end }} + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for CISCO_NX_OS traffic + source (s_CISCO_NX_OS); + flags (final); + }; +{{- end}} + channel { + # Listen on the default port (typically 514) for CISCO_NX_OS traffic + source (s_DEFAULT); + filter(f_cisco_nx_os); + flags(final); + }; + }; rewrite { set("cisco_nxos", value("fields.sc4s_vendor_product")); @@ -32,15 +38,5 @@ log { destination(d_archive); {{- end}} - flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for CISCO_NX_OS traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for CISCO_NX_OS traffic -{{ tmpl.Exec "log_path" "yes" }} 
diff --git a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/lp-epoch-cisco_meraki.conf.tmpl similarity index 70% rename from package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl rename to package/etc/conf.d/log_paths/lp-epoch-cisco_meraki.conf.tmpl index 4c2ba45..974ee36 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-epoch-cisco_meraki.conf.tmpl @@ -3,16 +3,22 @@ {{- $context := dict "port_id" "CISCO_MERAKI" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_cisco_meraki); -{{- end}} -{{- if eq (.) "no"}} - source (s_CISCO_MERAKI); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for CISCO_MERAKI traffic + source (s_CISCO_MERAKI); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for CISCO_MERAKI traffic + source (s_DEFAULT); + filter(f_cisco_meraki); + flags(final); + }; + }; rewrite { set("cisco_meraki", value("fields.sc4s_vendor_product")); @@ -33,12 +39,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for CISCO_MERAKI traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for CISCO_MERAKI traffic -{{ tmpl.Exec "log_path" "yes" }} 
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl similarity index 70% rename from package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl rename to package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl index a3346bd..969a245 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl @@ -3,17 +3,23 @@ {{- $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_forcepoint_webprotect_kv); -{{- end}} -{{- if eq (.) "no"}} - source (s_FORCEPOINT_WEBPROTECT); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for FORCEPOINT_WEBPROTECT traffic + source (s_FORCEPOINT_WEBPROTECT); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for FORCEPOINT_WEBPROTECT traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_forcepoint_webprotect_kv); + flags(final); + }; + }; rewrite { subst(" [^ =]+\=\-", "", value("MESSAGE"), flags("global")); 
@@ -34,12 +40,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for FORCEPOINT_WEBPROTECT traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for FORCEPOINT_WEBPROTECT traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl similarity index 80% rename from package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl rename to package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl index 837ce58..943bb19 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl 
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "FORTINET_FORTIOS" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_fortinet_fortios); -{{- end}} -{{- if eq (.) "no"}} - source (s_FORTINET_FORTIOS); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for FORTINET_FORTIOS traffic + source (s_FORTINET_FORTIOS); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for FORTINET_FORTIOS traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_fortinet_fortios); + flags(final); + }; + }; parser { kv-parser(prefix(".kv.") template("${MSGHDR} ${MSG}")); @@ -53,12 +59,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for FORTINET_FORTIOS traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for FORTINET_FORTIOS traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl similarity index 85% rename from package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl rename to package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl index a84ecaa..991b679 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl 
@@ -3,18 +3,23 @@ {{- $context := dict "port_id" "INFOBLOX" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_infoblox); -{{- end}} -{{- if eq (.) "no"}} - source (s_INFOBLOX); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_INFOBLOX_TCP_PORT")) (getenv (print "SC4S_LISTEN_INFOBLOX_UDP_PORT"))) (getenv (print "SC4S_LISTEN_INFOBLOX_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for INFOBLOX traffic + source (s_INFOBLOX); + flags (final); + }; {{- end}} - + channel { + # Listen on the default port (typically 514) for INFOBLOX traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_infoblox); + flags(final); + }; + }; if { filter{program("named")}; @@ -67,12 +72,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_INFOBLOX_TCP_PORT")) (getenv (print "SC4S_LISTEN_INFOBLOX_UDP_PORT"))) (getenv (print "SC4S_LISTEN_INFOBLOX_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for INFOBLOX traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for INFOBLOX traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl similarity index 69% rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl rename to package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl index 162996d..9149f94 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl 
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "JUNIPER_IDP" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc5424_strict); - filter(f_juniper_idp); -{{- end}} -{{- if eq (.) "no"}} - source (s_JUNIPER_IDP); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for JUNIPER_IDP traffic + source (s_JUNIPER_IDP); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for JUNIPER_IDP traffic + source (s_DEFAULT); + filter(f_is_rfc5424_strict); + filter(f_juniper_idp); + flags(final); + }; + }; rewrite { set("juniper_idp", value("fields.sc4s_vendor_product")); @@ -33,12 +39,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for JUNIPER_IDP traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for JUNIPER_IDP traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl similarity index 81% rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl rename to package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl index facaf1c..df12ce7 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl 
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "JUNIPER_JUNOS" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_juniper_junos_standard); -{{- end}} -{{- if eq (.) "no"}} - source (s_JUNIPER_JUNOS); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for JUNIPER_JUNOS traffic + source (s_JUNIPER_JUNOS); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for JUNIPER_JUNOS traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_juniper_junos_standard); + flags(final); + }; + }; rewrite { set("juniper_junos", value("fields.sc4s_vendor_product")); @@ -52,12 +58,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for JUNIPER_JUNOS traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for JUNIPER_JUNOS traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl similarity index 82% rename from package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl rename to package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl index f5ac665..5501976 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl 
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "JUNIPER_JUNOS_STRUCTURED" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc5424_strict); - filter(f_juniper_junos_structured); -{{- end}} -{{- if eq (.) "no"}} - source (s_JUNIPER_JUNOS_STRUCTURED); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for JUNIPER_JUNOS_STRUCTURED traffic + source (s_JUNIPER_JUNOS_STRUCTURED); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for JUNIPER_JUNOS_STRUCTURED traffic + source (s_DEFAULT); + filter(f_is_rfc5424_strict); + filter(f_juniper_junos_structured); + flags(final); + }; + }; rewrite { set("juniper_junos", value("fields.sc4s_vendor_product")); @@ -60,12 +66,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for JUNIPER_JUNOS_STRUCTURED traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for JUNIPER_JUNOS_STRUCTURED traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl similarity index 87% rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl rename to package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl index 153519c..27cc1e3 100644 
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl @@ -5,17 +5,19 @@ log { junction { - channel { - source (s_DEFAULT); - filter(f_juniper_netscreen); - flags(final); - }; {{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT")) }} - channel { + channel { + # Listen on the specified dedicated port(s) for JUNIPER_NETSCREEN traffic source (s_JUNIPER_NETSCREEN); flags (final); }; {{- end}} + channel { + # Listen on the default port (typically 514) for JUNIPER_NETSCREEN traffic + source (s_DEFAULT); + filter(f_juniper_netscreen); + flags(final); + }; }; rewrite { diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl similarity index 69% rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl rename to package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl index 668f287..ce99b6c 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl 
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "JUNIPER_NSM" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_juniper_nsm); -{{- end}} -{{- if eq (.) "no"}} - source (s_JUNIPER_NSM); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for JUNIPER_NSM traffic + source (s_JUNIPER_NSM); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for JUNIPER_NSM traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_juniper_nsm); + flags(final); + }; + }; rewrite { set("juniper_nsm", value("fields.sc4s_vendor_product")); @@ -33,12 +39,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for JUNIPER_NSM traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for JUNIPER_NSM traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl similarity index 69% rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl rename to package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl index 2ac5fa0..7a2340c 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl 
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_juniper_nsm_idp); -{{- end}} -{{- if eq (.) "no"}} - source (s_JUNIPER_NSM_IDP); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for JUNIPER_NSM_IDP traffic + source (s_JUNIPER_NSM_IDP); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for JUNIPER_NSM_IDP traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_juniper_nsm_idp); + flags(final); + }; + }; rewrite { set("juniper_nsm_idp", value("fields.sc4s_vendor_product")); @@ -32,12 +38,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for JUNIPER_NSM_IDP traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for JUNIPER_NSM_IDP traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl b/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl similarity index 84% rename from package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl rename to package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl index 8a5a386..6f22c7b 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl 
@@ -33,17 +33,24 @@ parser p_microfocus_arcsight_source { default-selector("unknown") ); }; -{{- /* The following is an inline template to generate the actual log path */}} -{{ define "log_path" }} + log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_microfocus_arcsight); -{{- end}} -{{- if eq (.) "no"}} - source (s_MICROFOCUS_ARCSIGHT); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT")) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for MICROFOCUS_ARCSIGHT traffic + source (s_MICROFOCUS_ARCSIGHT); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for MICROFOCUS_ARCSIGHT traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_microfocus_arcsight); + flags(final); + }; + }; rewrite { set("microfocus_arcsight", value("fields.sc4s_vendor_product")); @@ -82,14 +89,4 @@ log { {{- end}} flags(flow-control,final); - }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT")) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for MICROFOCUS_ARCSIGHT traffic - {{tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for MICROFOCUS_ARCSIGHT traffic -{{tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl similarity index 88% rename from package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl rename to package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl index 6f5cb7f..72b68a6 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl 
@@ -3,17 +3,23 @@ {{- $context := dict "port_id" "PALOALTO_PANOS" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_palalto_format); - filter(f_paloalto_panos); -{{- end}} -{{- if eq (.) "no"}} - source (s_PALOALTO_PANOS); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for PALOALTO_PANOS traffic + source (s_PALOALTO_PANOS); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for PALOALTO_PANOS traffic + source (s_DEFAULT); + filter(f_is_palalto_format); + filter(f_paloalto_panos); + flags(final); + }; + }; # The palo message does not include a program value in the header, unfortunately. # The use of colon in the message tricks the RFC3164 parser; We will re-write the message @@ -89,12 +95,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for PALOALTO_PANOS traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for PALOALTO_PANOS traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl similarity index 74% rename from package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl rename to package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl index d17a226..e73ada4 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl 
+++ b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl @@ -3,16 +3,22 @@ {{- $context := dict "port_id" "PROOFPOINT_PPS" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes" }} - source(s_DEFAULT); - filter { filter(f_proofpoint_pps_filter) or filter(f_proofpoint_pps_sendmail) }; -{{- end }} -{{- if eq (.) "no" }} - source (s_PROOFPOINT_PPS); -{{- end }} + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for PROOFPOINT_PPS traffic + source (s_PROOFPOINT_PPS); + flags (final); + }; +{{- end}} + channel { + # Listen on the default port (typically 514) for PROOFPOINT_PPS traffic + source (s_DEFAULT); + filter { filter(f_proofpoint_pps_filter) or filter(f_proofpoint_pps_sendmail) }; + flags(final); + }; + }; if (filter(f_proofpoint_pps_filter)) { rewrite { @@ -40,12 +46,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for PROOFPOINT_PPS traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for PROOFPOINT_PPS traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/internal.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl similarity index 96% rename from package/etc/conf.d/log_paths/internal.conf.tmpl rename to package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl index 15ea441..0756b20 100644 --- a/package/etc/conf.d/log_paths/internal.conf.tmpl 
+++ b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl @@ -1,4 +1,3 @@ -{{- define "log_path"}} log { source(s_internal); @@ -36,6 +35,4 @@ log { }; flags(flow-control,final); - }; -{{- end}} -{{- tmpl.Exec "log_path" "yes" }} +}; diff --git a/package/etc/conf.d/log_paths/startup.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl similarity index 93% rename from package/etc/conf.d/log_paths/startup.conf.tmpl rename to package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl index 8153c55..c6607be 100644 --- a/package/etc/conf.d/log_paths/startup.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl @@ -1,6 +1,5 @@ # Startup events -{{- define "log_path"}} log { source(s_startup_out); @@ -32,6 +31,4 @@ log { {{- end}} flags(flow-control,final); - }; -{{- end}} -{{- tmpl.Exec "log_path" "yes" }} +}; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl similarity index 83% rename from package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl rename to package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl index 04ab7d1..8033b87 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl 
@@ -27,17 +27,23 @@ parser symantec_brightmail_grouping { {{- $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes" }} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_symantec_brightmail); -{{- end }} -{{- if eq (.) "no" }} - source (s_SYMANTEC_BRIGHTMAIL); -{{- end }} + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT"))) (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for SYMANTEC_BRIGHTMAIL traffic + source (s_SYMANTEC_BRIGHTMAIL); + flags (final); + }; +{{- end}} + channel { + # Listen on the default port (typically 514) for SYMANTEC_BRIGHTMAIL traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_symantec_brightmail); + flags(final); + }; + }; {{- if (conv.ToBool (getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes")) }} if { @@ -89,12 +95,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT"))) (getenv (print "SC4S_SYMANTEC_BRIGHTMAIL_NSS_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for SYMANTEC_BRIGHTMAIL traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for SYMANTEC_BRIGHTMAIL traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl similarity index 69% rename from package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl rename to package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl index 64584fd..6ec7134 100644 
--- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl @@ -3,17 +3,23 @@ {{- $context := dict "port_id" "SYMANTEC_PROXY" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc5424_noversion); - filter(f_symantec_bluecoat_proxy); -{{- end}} -{{- if eq (.) "no"}} - source (s_SYMANTEC_PROXY); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for SYMANTEC_PROXY traffic + source (s_SYMANTEC_PROXY); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for SYMANTEC_PROXY traffic + source (s_DEFAULT); + filter(f_is_rfc5424_noversion); + filter(f_symantec_bluecoat_proxy); + flags(final); + }; + }; rewrite { set("bluecoat_proxy", value("fields.sc4s_vendor_product")); @@ -34,12 +40,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for SYMANTEC_PROXY traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for SYMANTEC_PROXY traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl similarity index 91% rename from package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl rename to package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl index a8b891b..903f51b 100644 
--- a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl @@ -3,17 +3,23 @@ {{- $context := dict "port_id" "UBIQUITI_UNIFI" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_ubiquiti_unifi); -{{- end}} -{{- if eq (.) "no"}} - source (s_UBIQUITI_UNIFI); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT")) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for UBIQUITI_UNIFI traffic + source (s_UBIQUITI_UNIFI); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for UBIQUITI_UNIFI traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_ubiquiti_unifi); + flags(final); + }; + }; parser {p_add_context_splunk(key("ubiquiti_unifi")); }; @@ -119,14 +125,4 @@ log { {{- end}} flags(flow-control,final); - }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT")) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for UBIQUITI_UNIFI traffic -{{tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for UBIQUITI_UNIFI traffic -{{tmpl.Exec "log_path" "yes" }} \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl similarity index 81% rename from package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl rename to package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl index 171fccc..877eb18 100644 
--- a/package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl @@ -1,18 +1,24 @@ # VMware ESXi and NSX {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "VMWARE" "parser" "common" }} +{{- $context := dict "port_id" "VMWARE_VSPHERE" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_vmware_all); -{{- end}} -{{- if eq (.) "no"}} - source (s_VMWARE); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT")) (getenv (print "SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for VMWARE_VSPHERE traffic + source (s_VMWARE_VSPHERE); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for VMWARE_VSPHERE traffic + source (s_DEFAULT); + filter(f_vmware_all); + flags(final); + }; + }; #NSX first because its the cheapest check if { 
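Review bot: The rename of the port_id from `VMWARE` to `VMWARE_VSPHERE` has no compatibility fallback, and it changes every operator-facing variable this path reads: `SC4S_LISTEN_VMWARE_*_PORT` in this hunk, `SC4S_DEST_VMWARE_HEC` and `SC4S_ARCHIVE_VMWARE` in the second hunk of this file. A deployment that already sets `SC4S_LISTEN_VMWARE_TCP_PORT` would, after this change, have no dedicated listener and the events it used to receive would simply stop arriving, with nothing in the diff or the rendered config pointing at the old name. If keeping the old names as aliases is not wanted, the rename should at least be called out as breaking in the commit message and release notes, and a render-time guard that refuses to start while any of the legacy `SC4S_*_VMWARE_*` variables is still set would turn a silent ingestion gap into an immediate startup failure. The `log {` block opened here continues outside the hunk.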
@@ -83,21 +89,13 @@ log { rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); }; }; -{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_VMWARE_HEC" "no")) }} +{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_VMWARE_VSPHERE_HEC" "no")) }} destination(d_hec); {{- end}} -{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_VMWARE" "no")) }} +{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_VMWARE_VSPHERE" "no")) }} destination(d_archive); {{- end}} flags(flow-control,final); }; -{{- end}} -{{- if or (or (getenv (print "SC4S_LISTEN_VMWARE_TCP_PORT")) (getenv (print "SC4S_LISTEN_VMWARE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_VMWARE_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for VMWARE traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for VMWARE traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl similarity index 88% rename from package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl rename to package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl index 27f682e..29c0717 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl 
@@ -3,16 +3,22 @@ {{- $context := dict "port_id" "ZSCALER_NSS" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes" }} - source(s_DEFAULT); - filter(f_zscaler_nss); -{{- end }} -{{- if eq (.) "no" }} - source (s_ZSCALER_NSS); -{{- end }} + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TCP_PORT")) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for ZSCALER_NSS traffic + source (s_ZSCALER_NSS); + flags (final); + }; +{{- end}} + channel { + # Listen on the default port (typically 514) for ZSCALER_NSS traffic + source (s_DEFAULT); + filter(f_zscaler_nss); + flags(final); + }; + }; parser { date-parser(format("%Y-%m-%d %H:%M:%S") template('$(substr "$LEGACY_MSGHDR$MSG" "0" "19")')); }; rewrite { @@ -74,12 +80,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TCP_PORT")) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for ZSCALER_NSS traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for ZSCALER_NSS traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl similarity index 72% rename from package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl rename to package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl index e1911f7..008a3f6 100644 --- a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl 
@@ -3,16 +3,22 @@ {{- $context := dict "port_id" "NIX_SYSLOG" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { -{{- if eq (.) "yes" }} - source(s_DEFAULT); - filter(f_nix_syslog); -{{- end }} -{{- if eq (.) "no" }} - source (s_NIX_SYSLOG); -{{- end }} + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_NIX_SYSLOG_TCP_PORT")) (getenv (print "SC4S_LISTEN_NIX_SYSLOG_UDP_PORT"))) (getenv (print "SC4S_LISTEN_NIX_SYSLOG_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for NIX_SYSLOG traffic + source (s_NIX_SYSLOG); + flags (final); + }; +{{- end}} + channel { + # Listen on the default port (typically 514) for NIX_SYSLOG traffic + source (s_DEFAULT); + filter(f_nix_syslog); + flags(final); + }; + }; rewrite { set("nix_syslog", value("fields.sc4s_vendor_product")); @@ -36,12 +42,3 @@ log { flags(flow-control,final); }; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_NIX_SYSLOG_TCP_PORT")) (getenv (print "SC4S_LISTEN_NIX_SYSLOG_UDP_PORT"))) (getenv (print "SC4S_NIX_SYSLOG_NSS_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for NIX_SYSLOG traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for NIX_SYSLOG traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl similarity index 99% rename from package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl rename to package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl index d2057c2..1298c67 100644 --- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl @@ -29,5 +29,4 @@ log { {{- end}} flags(flow-control,fallback); - }; \ No newline at end of file 
diff --git a/package/etc/local_config/log_paths/example.conf.tmpl b/package/etc/local_config/log_paths/lp-example.conf.tmpl similarity index 81% rename from package/etc/local_config/log_paths/example.conf.tmpl rename to package/etc/local_config/log_paths/lp-example.conf.tmpl index 516f954..708bc7c 100644 --- a/package/etc/local_config/log_paths/example.conf.tmpl +++ b/package/etc/local_config/log_paths/lp-example.conf.tmpl @@ -29,24 +29,23 @@ {{- $context := dict "port_id" "LOCAL_EXAMPLE" "parser" "common" }} {{- tmpl.Exec "t/source_network.t" $context }} -{{- /* The following is an inline template to generate the actual log path */}} -{{- define "log_path"}} log { - -{{- /* The first time this template is used the log_path will be linked to the default port */}} - -{{- if eq (.) "yes"}} - source(s_DEFAULT); - filter(f_is_rfc3164); - filter(f_local_example); -{{- end}} - -{{- /* In the second pass through the template a link to the dedicated port is used. This */}} -{{- /* normally does not require additional filters */}} - -{{- if eq (.) "no"}} - source (s_LOCAL_EXAMPLE); + junction { +{{- if or (or (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT")) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT")) }} + channel { + # Listen on the specified dedicated port(s) for LOCAL_EXAMPLE traffic + source (s_LOCAL_EXAMPLE); + flags (final); + }; {{- end}} + channel { + # Listen on the default port (typically 514) for LOCAL_EXAMPLE traffic + source (s_DEFAULT); + filter(f_is_rfc3164); + filter(f_local_example); + flags(final); + }; + }; # Set a default sourcetype and index, as well as an appropriate value for the field # "sc4s_vendor_product". This field is sent as an indexed field to Splunk, 
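Review bot: The two `{{- /* ... */}}` comments that explained the dedicated-port and default-port passes are dropped, but this is the template under `local_config/log_paths` that users copy for their own log paths, so the new junction/channel layout needs an explanation of its own. A comment placed just inside `junction {`, along the lines of `# One channel per entry point: dedicated-port traffic is accepted as-is, default-port traffic must pass the vendor filter; flags(final) keeps a message from being handed to the remaining channels`, would carry that over — the last clause states syslog-ng's final-flag behaviour inside a junction as I understand it and should be checked against the shipped version. It is also worth telling the reader that the `{{- if or ... }}` wrapper has to name exactly the variables that `t/source_network.t` consults for the same port_id, since nothing enforces that. The `log {` block opened here continues outside the hunk.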
@@ -86,16 +85,4 @@ log { # All passes through any matching log path will be final flags(flow-control,final); -}; -{{- end}} - -{{- /* Prepare to run two passes through this template, one for default traffic and another for */}} -{{- /* "unique ports" if they are configured. */}} - -{{- if or (or (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT")) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for LOCAL_EXAMPLE traffic -{{ tmpl.Exec "log_path" "no" }} -{{- end }} - -# Listen on the default port (typically 514) for LOCAL_EXAMPLE traffic -{{ tmpl.Exec "log_path" "yes" }} \ No newline at end of file +}; \ No newline at end of file From c9c43a156e7ee5c47984233ea2f12eabb94a017d Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Mon, 20 Jan 2020 10:20:44 -0800 Subject: [PATCH 4/9] Update config.yml --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index a455417..f86b388 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -8,7 +8,7 @@ #work. If not, see . version: 2.1 orbs: - docker: circleci/docker@0.5.13 + docker: circleci/docker@0.5.20 go: circleci/go@0.2.0 snyk: snyk/snyk@0.0.8 versioning: kollex/versioning@1.0.0 @@ -418,4 +418,4 @@ workflows: tags: only: /^\d*\.\d*\.\d*.*$/ branches: - ignore: /.*/ \ No newline at end of file + ignore: /.*/ From 6547d20533fe20825bf19c8afca716917cc6bb97 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Mon, 20 Jan 2020 10:33:11 -0800 Subject: [PATCH 5/9] Update config.yml --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index f86b388..cd3430b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -30,7 +30,7 @@ jobs: - versioning/create_version_file: version_file_path: /tmp/workspace/VERSION - - docker/install-docker + #- docker/install-docker - docker/check: registry: $REGISTRY docker-username: GITHUB_USER From 9ae33b5a10a375be7e9c5bdc7ce6dc8e1f26719c Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Mon, 20 Jan 2020 10:37:20 -0800 Subject: [PATCH 6/9] Update config.yml --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index cd3430b..d13a074 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -30,7 +30,7 @@ jobs: - versioning/create_version_file: version_file_path: /tmp/workspace/VERSION - #- docker/install-docker + - docker/install-docker - docker/check: registry: $REGISTRY docker-username: GITHUB_USER @@ -94,7 +94,7 @@ jobs: - run: git submodule sync - run: git submodule update --init --recursive - - docker/install-docker-tools + #- docker/install-docker-tools - docker/check: registry: $REGISTRY docker-username: GITHUB_USER From 03aff7d3052bc08ac4c5a5000f1e0c655a70d3da Mon Sep 17 00:00:00 2001 From: mbonsack Date: Mon, 20 Jan 2020 11:19:53 -0800 Subject: [PATCH 7/9] Change to 3000ms to allow for fuller batches * Change to 3000ms to allow for fuller batches; preference is for full batches over latency --- package/etc/conf.d/destinations/splunk_hec.conf.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl index a67c802..eb19250 100644 --- a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl +++ b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl 
@@ -6,7 +6,7 @@ destination d_hec {
 workers({{- getenv "SC4S_DEST_SPLUNK_HEC_WORKERS" "10"}})
 batch-lines({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_LINES" "1000"}})
 batch-bytes({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_BYTES" "4096kb"}})
- batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "1000"}})
+ batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "3000"}})
 timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_TIMEOUT" "30"}})
 user_agent("sc4s/1.0 (events)")
 user("sc4s")
@@ -45,4 +45,4 @@ destination d_hec {
 event="$MSG"
 fields.*)')
 );
-};
\ No newline at end of file
+};
From c890d6ae9f72d3db83feced5529834befa98819d Mon Sep 17 00:00:00 2001
From: Mark Bonsack Date: Mon, 20 Jan 2020 21:30:43 -0800 Subject: [PATCH 8/9] Update network source template/log path unique port parsers * Cisco ACS: Replace "CISCO_NX_OS" with "CISCO_ACS" in environment variables * Log Paths: specify unique port gomplate dict parser value for network source template (replace "common" with appropriate value) * Network Source Template: reorder "soup" parser tree * Network Source Template: Add `guess-timezone` flag for direct rfc3164 parser * Network Source Template: Comment out format tests in direct parser entries * Rename Meraki log path (remove "epoch" prefix) * Vmware vsphere filter: minor format change * syslog_format.conf: Remove unused "epochtime" filters * docker-compose.yml: Add listen ports to test unique port gomplate templating code --- docker-compose.yml | 7 +++- .../conf.d/conflib/_common/syslog_format.conf | 6 --- .../etc/conf.d/filters/VMware/vsphere.conf | 3 +- .../log_paths/lp-checkpoint_splunk.conf.tmpl | 2 +- .../conf.d/log_paths/lp-cisco_acs.conf.tmpl | 10 ++--- .../conf.d/log_paths/lp-cisco_asa.conf.tmpl | 2 +- .../log_paths/lp-cisco_asa_legacy.conf.tmpl | 2 +- .../conf.d/log_paths/lp-cisco_ios.conf.tmpl | 2 +- .../conf.d/log_paths/lp-cisco_ise.conf.tmpl | 2 +- ...ki.conf.tmpl => lp-cisco_meraki.conf.tmpl} | 2 +- .../conf.d/log_paths/lp-cisco_nxos.conf.tmpl | 2 +- .../lp-forcepoint_webprotect.conf.tmpl | 2 +- .../log_paths/lp-fortinet_fortios.conf.tmpl | 2 +- .../conf.d/log_paths/lp-infoblox.conf.tmpl | 2 +- .../conf.d/log_paths/lp-juniper_idp.conf.tmpl | 2 +- .../log_paths/lp-juniper_junos.conf.tmpl | 2 +- .../lp-juniper_junos_structured.conf.tmpl | 2 +- .../log_paths/lp-juniper_netscreen.conf.tmpl | 2 +- .../conf.d/log_paths/lp-juniper_nsm.conf.tmpl | 2 +- .../log_paths/lp-juniper_nsm_idp.conf.tmpl | 2 +- .../lp-microfocus_arcsight.conf.tmpl | 2 +- .../log_paths/lp-paloalto_panos.conf.tmpl | 2 +- .../log_paths/lp-proofpoint_pps.conf.tmpl | 2 +- .../lp-symantec_brightmail.conf.tmpl | 2 +- 
.../log_paths/lp-symantec_proxy.conf.tmpl | 2 +- .../log_paths/lp-ubiquiti_unifi.conf.tmpl | 2 +- .../conf.d/log_paths/lp-zscaler_nss.conf.tmpl | 2 +- .../log_paths/lp-zzy-nix_syslog.conf.tmpl | 2 +- package/etc/go_templates/source_network.t | 40 +++++++++++-------- 29 files changed, 60 insertions(+), 54 deletions(-) rename package/etc/conf.d/log_paths/{lp-epoch-cisco_meraki.conf.tmpl => lp-cisco_meraki.conf.tmpl} (94%) diff --git a/docker-compose.yml b/docker-compose.yml index 3e3bc3d..3d936bc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -48,8 +48,11 @@ services: # - SC4S_LISTEN_DEFAULT_UDP_PORT=514 # - SC4S_LISTEN_DEFAULT_TLS_PORT=6514 - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 - - SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT=6000 -# - SC4S_ARCHIVE_CHECKPOINT=yes + - SC4S_LISTEN_CISCO_ASA_TCP_PORT=5001 + - SC4S_LISTEN_CISCO_IOS_TCP_PORT=5002 + - SC4S_LISTEN_CISCO_MERAKI_TCP_PORT=5003 + - SC4S_LISTEN_JUNIPER_IDP_TCP_PORT=5004 + - SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT=5005 - SC4S_ARCHIVE_GLOBAL=yes volumes: - ./tls:/opt/syslog-ng/tls diff --git a/package/etc/conf.d/conflib/_common/syslog_format.conf b/package/etc/conf.d/conflib/_common/syslog_format.conf index b8802a7..0c9fc2f 100644 --- a/package/etc/conf.d/conflib/_common/syslog_format.conf +++ b/package/etc/conf.d/conflib/_common/syslog_format.conf @@ -4,9 +4,6 @@ filter f_rfc5424_strict{ filter f_rfc5424_noversion{ message('^(?(?
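Review bot: The five `SC4S_LISTEN_*_TCP_PORT=500x` entries in the docker-compose.yml hunk are added live although the commit message describes them as inputs for testing the unique-port templating, so anyone deploying from this file gets five extra listeners (5001–5005) enabled by default. Keep them disabled the way the `# - SC4S_LISTEN_DEFAULT_UDP_PORT=514` lines above them are, e.g. `# - SC4S_LISTEN_CISCO_ASA_TCP_PORT=5001`, or prefix the group with `# test only: exercises the source_network.t unique-port paths`. The removal of `SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT=6000` is not mentioned in the commit message and changes behaviour for a deployment that relied on it. Whether the compose `ports:` mapping publishes these listeners is outside the hunk.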
(?<\d{1,3}>) ?(?(?(?\d{4})-(?\d\d)-(?\d\d))T(?(?(?[0-2]\d):(?[0-5]\d):(?[0-5]\d)(?:.(?\d{1,6}))?)(?Z|(?[+\-][0-2]\d:[0-5]\d))))))'); }; -filter f_rfc5424_epochtime{ - message('^(?(?
(?<\d{1,3}>)(?[1-9][0-9]?) (?(?\d{10})(?:.(?\d{1,9})?)) (?[^ ]+) ))'); -}; filter f_rfc3164_version{ message('^(?(?
(?<\d{1,3}>)(?[1-9][0-9]?) (?[A-Za-z]{3} \d\d \d\d:\d\d:\d\d) (?[^ ]+) ))'); }; @@ -28,9 +25,6 @@ filter f_is_rfc5424_noversion{ rewrite set_rfc5424_epochtime{ set("rfc5424_epochtime" value("fields.sc4s_syslog_format")); }; -filter f_is_rfc5424_epochtime{ - match("rfc5424_epochtime" value("fields.sc4s_syslog_format")) -}; rewrite set_rfc3164_version{ set("rfc3164_version" value("fields.sc4s_syslog_format")); }; diff --git a/package/etc/conf.d/filters/VMware/vsphere.conf b/package/etc/conf.d/filters/VMware/vsphere.conf index 624c6e0..a2378aa 100644 --- a/package/etc/conf.d/filters/VMware/vsphere.conf +++ b/package/etc/conf.d/filters/VMware/vsphere.conf @@ -23,7 +23,8 @@ filter f_vmware_all { or program("NSX", flags(ignore-case)) or program("NSXV", flags(ignore-case)) or program("dfwpktlogs", flags(ignore-case)) - or program("nsx-.*", flags(ignore-case))}; + or program("nsx-.*", flags(ignore-case)) +}; filter f_vmware_vsphere { program("cimslp", flags(ignore-case)) diff --git a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl index fcfc452..bddcbd3 100644 --- a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl @@ -1,6 +1,6 @@ # Checkpoint {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }} +{{- $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl index 9397bc0..817df0a 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl 
@@ -1,6 +1,6 @@ # Cisco ACS {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }} +{{- $context := dict "port_id" "CISCO_ACS" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} # This filter uses a field we set to prevent the original messages before aggregation from being @@ -49,15 +49,15 @@ parser acs_event_time { log { junction { -{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT")) }} +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ACS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ACS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ACS_TLS_PORT")) }} channel { - # Listen on the specified dedicated port(s) for CISCO_NX_OS traffic - source (s_CISCO_NX_OS); + # Listen on the specified dedicated port(s) for CISCO_ACS traffic + source (s_CISCO_ACS); flags (final); }; {{- end}} channel { - # Listen on the default port (typically 514) for CISCO_NX_OS traffic + # Listen on the default port (typically 514) for CISCO_ACS traffic source (s_DEFAULT); filter(f_is_rfc3164); filter(f_cisco_acs); diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl index e09f3cf..9045821 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl @@ -1,6 +1,6 @@ # Cisco ASA RFC5424 {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "CISCO_ASA" "parser" "common" }} +{{- $context := dict "port_id" "CISCO_ASA" "parser" "rfc5424_noversion" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl index b027c3d..0749e68 100644 
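Review bot: Correcting `port_id` from `CISCO_NX_OS` to `CISCO_ACS` renames the variables a dedicated ACS port is configured with (`SC4S_LISTEN_CISCO_ACS_TCP_PORT` and its UDP/TLS siblings) and the generated source to `s_CISCO_ACS`, but the diffstat for this patch lists no documentation or changelog file, so an operator who set `SC4S_LISTEN_CISCO_NX_OS_*` to obtain an ACS port silently loses it and that port presumably now serves only the NX-OS log path (`lp-cisco_nxos.conf.tmpl` below still uses those variables). Add a release-note line naming the old and new variables. The `"common"` → `"rfc3164"` switch in the first hunk is repeated for every log path in this patch; it relies on the per-port format filters that the source_network.t hunk further down comments out, which is raised there.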
--- a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl @@ -1,6 +1,6 @@ # Cisco ASA {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "common" }} +{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl index 63cde5e..80aae01 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl @@ -1,6 +1,6 @@ # Cisco IOS {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "CISCO_IOS" "parser" "common" }} +{{- $context := dict "port_id" "CISCO_IOS" "parser" "cisco_parser" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl index 818ada8..9a5bf0f 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl @@ -1,6 +1,6 @@ # Cisco ISE {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "CISCO_ISE" "parser" "common" }} +{{- $context := dict "port_id" "CISCO_ISE" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} # This filter uses a field we set to prevent the original messages before aggregation from being 
diff --git a/package/etc/conf.d/log_paths/lp-epoch-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl similarity index 94% rename from package/etc/conf.d/log_paths/lp-epoch-cisco_meraki.conf.tmpl rename to package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl index 974ee36..c0f37ce 100644 --- a/package/etc/conf.d/log_paths/lp-epoch-cisco_meraki.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl @@ -1,6 +1,6 @@ # Cisco Meraki {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "CISCO_MERAKI" "parser" "common" }} +{{- $context := dict "port_id" "CISCO_MERAKI" "parser" "cisco_meraki_parser" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl index 66bbc5e..8bf2d2b 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl @@ -1,6 +1,6 @@ # Cisco NX_OS {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }} +{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl index 969a245..3b55bfa 100644 --- a/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl 
@@ -1,6 +1,6 @@ # Forcepoint Webprotect {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "common" }} +{{- $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl index 943bb19..aba6936 100644 --- a/package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl @@ -1,6 +1,6 @@ # Fortinet Fortios {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "FORTINET_FORTIOS" "parser" "common" }} +{{- $context := dict "port_id" "FORTINET_FORTIOS" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl index 991b679..8b40188 100644 --- a/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl @@ -1,6 +1,6 @@ # Infoblox {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "INFOBLOX" "parser" "common" }} +{{- $context := dict "port_id" "INFOBLOX" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl index 9149f94..436963a 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl 
@@ -1,6 +1,6 @@ # Juniper IDP {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "JUNIPER_IDP" "parser" "common" }} +{{- $context := dict "port_id" "JUNIPER_IDP" "parser" "rfc5424_strict" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl index df12ce7..05d7e5d 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl @@ -1,6 +1,6 @@ # Juniper JunOS {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "JUNIPER_JUNOS" "parser" "common" }} +{{- $context := dict "port_id" "JUNIPER_JUNOS" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl index 5501976..d5ae714 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl @@ -1,6 +1,6 @@ # Juniper JunOS (Structured, RFC5424-compliant) {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "JUNIPER_JUNOS_STRUCTURED" "parser" "common" }} +{{- $context := dict "port_id" "JUNIPER_JUNOS_STRUCTURED" "parser" "rfc5424_strict" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl index 27cc1e3..74c40b0 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl 
@@ -1,6 +1,6 @@ # Juniper Netscreen {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "JUNIPER_NETSCREEN" "parser" "common" }} +{{- $context := dict "port_id" "JUNIPER_NETSCREEN" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl index ce99b6c..650b7c9 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl @@ -1,6 +1,6 @@ # Juniper NSM {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "JUNIPER_NSM" "parser" "common" }} +{{- $context := dict "port_id" "JUNIPER_NSM" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl index 7a2340c..e76fb0a 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl @@ -1,6 +1,6 @@ # Juniper NSM IDP {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "common" }} +{{- $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl b/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl index 6f22c7b..ae04a47 100644 --- a/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl 
@@ -1,6 +1,6 @@ # Microfocus ArcSight {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "MICROFOCUS_ARCSIGHT" "parser" "common" }} +{{- $context := dict "port_id" "MICROFOCUS_ARCSIGHT" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} parser p_microfocus_arcsight_header { diff --git a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl index 72b68a6..f115db2 100644 --- a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl @@ -1,6 +1,6 @@ # PaloAlto PanOS {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "PALOALTO_PANOS" "parser" "common" }} +{{- $context := dict "port_id" "PALOALTO_PANOS" "parser" "rfc3164_version" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl index e73ada4..dc911ec 100644 --- a/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl @@ -1,6 +1,6 @@ # Proofpoint Protection Server {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "PROOFPOINT_PPS" "parser" "common" }} +{{- $context := dict "port_id" "PROOFPOINT_PPS" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl index 8033b87..8ae5329 100644 --- a/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl 
@@ -24,7 +24,7 @@ parser symantec_brightmail_grouping { {{- end }} {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }} +{{- $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl index 6ec7134..cc3524d 100644 --- a/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl @@ -1,6 +1,6 @@ # Symantec Proxy (Bluecoat) {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "SYMANTEC_PROXY" "parser" "common" }} +{{- $context := dict "port_id" "SYMANTEC_PROXY" "parser" "rfc5424_noversion" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl index 903f51b..cee88ad 100644 --- a/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl @@ -1,6 +1,6 @@ # Ubiquiti unifi {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "UBIQUITI_UNIFI" "parser" "common" }} +{{- $context := dict "port_id" "UBIQUITI_UNIFI" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl index 29c0717..17782bf 100644 --- a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl 
@@ -1,6 +1,6 @@ # Zscaler {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "ZSCALER_NSS" "parser" "common" }} +{{- $context := dict "port_id" "ZSCALER_NSS" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl index 008a3f6..be65104 100644 --- a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl @@ -1,6 +1,6 @@ # Linux/Unix OS system logs {{- /* The following provides a unique port source configuration if env var(s) are set */}} -{{- $context := dict "port_id" "NIX_SYSLOG" "parser" "common" }} +{{- $context := dict "port_id" "NIX_SYSLOG" "parser" "rfc3164" }} {{- tmpl.Exec "t/source_network.t" $context }} log { diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t index eef481a..6b54feb 100644 --- a/package/etc/go_templates/source_network.t +++ b/package/etc/go_templates/source_network.t 
@@ -60,14 +60,26 @@ source s_{{ .port_id }} {
 };
 #TODO: #60 Remove this function with enhancement
 rewrite(set_rfcnonconformant);
-{{- if eq .parser "rfc5424_strict" }}
- filter(f_rfc5424_strict);
+{{- if eq .parser "rfc3164" }}
+ parser {
+ syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
+ };
+ rewrite(set_rfc3164);
+{{- else if eq .parser "rfc3164_version" }}
+# filter(f_rfc3164_version);
+ rewrite(set_rfc3164_no_version_string);
+ parser {
+ syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
+ };
+ rewrite(set_rfc3164_version);
+{{- else if eq .parser "rfc5424_strict" }}
+# filter(f_rfc5424_strict);
 parser {
 syslog-parser(flags(syslog-protocol));
 };
 rewrite(set_rfc5424_strict);
 {{- else if eq .parser "rfc5424_noversion" }}
- filter(f_rfc5424_noversion);
+# filter(f_rfc5424_noversion);
 parser {
 syslog-parser(flags(syslog-protocol));
 };
@@ -78,15 +90,18 @@ source s_{{ .port_id }} {
 {{- else if eq .parser "cisco_meraki_parser" }}
 parser (p_cisco_meraki);
 rewrite(set_rfc5424_epochtime);
-{{- else if eq .parser "rfc3164" }}
- parser {
- syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) );
- };
- rewrite(set_rfc3164);
 {{- else if eq .parser "no_parse" }}
 rewrite(set_no_parse);
 {{- else }}
- if {filter(f_rfc5424_strict);
+ if {
+ filter(f_rfc3164_version);
+ rewrite(set_rfc3164_no_version_string);
+ parser {
+ syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
+ };
+ rewrite(set_rfc3164_version);
+ } elif {
+ filter(f_rfc5424_strict);
 parser {
 syslog-parser(flags(syslog-protocol));
 };
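Review bot: Commenting out `filter(f_rfc5424_strict)`, `filter(f_rfc5424_noversion)` and `filter(f_rfc3164_version)` in the per-port branches removes the only per-message format check on a dedicated port, yet each branch still runs `rewrite(set_rfc5424_strict)` (or its sibling) unconditionally, so `fields.sc4s_syslog_format` now records the format the port was assigned rather than one the message was verified against. In the `rfc3164_version` branch `rewrite(set_rfc3164_no_version_string)` likewise runs on every message on that port, including ones that presumably carry no version token. Anything downstream that keys on that field (index routing, searches, detection content) inherits the operator's port assignment instead of the message's real format, which deserves a comment; at minimum replace each bare `# filter(...)` with a line that says why, e.g. `# format filter intentionally disabled: dedicated-port traffic is assumed to match .parser, so sc4s_syslog_format is asserted here, not validated`. The same disabled filters are carried forward unchanged in the patch 9 hunk of this file below. The enclosing `source s_{{ .port_id }}` template starts outside the hunk.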
@@ -100,13 +115,6 @@ source s_{{ .port_id }} {
 } elif {
 parser {cisco-parser()};
 rewrite(set_cisco_ios);
- } elif {
- filter(f_rfc3164_version);
- rewrite(set_rfc3164_no_version_string);
- parser {
- syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
- };
- rewrite(set_rfc3164_version);
 } elif {
 parser (p_cisco_meraki);
 rewrite(set_rfc5424_epochtime);
From 78dda6e514597da59694ec4ea4ea86c55239c2e0 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Mon, 20 Jan 2020 22:37:30 -0800
Subject: [PATCH 9/9] Remove unneeded `rewrite(set_rfcnonconformant)` function
* syslog_format.conf: Remove unneeded `rewrite(set_rfcnonconformant)` funtction. Source template will set an appropriate syslog format field in every case.
* source_network.t: Remove comment `#TODO: #60 Remove this function with enhancement`; code has been updated and/or removed and comment no longer relevant.
* source_network.t: Adjust gomplate template for line spacing in conf file output
---
 .../conf.d/conflib/_common/syslog_format.conf | 3 ---
 package/etc/go_templates/source_network.t | 21 ++++++++++-----------
 2 files changed, 9 insertions(+), 15 deletions(-)
diff --git a/package/etc/conf.d/conflib/_common/syslog_format.conf b/package/etc/conf.d/conflib/_common/syslog_format.conf
index 0c9fc2f..b461e0e 100644
--- a/package/etc/conf.d/conflib/_common/syslog_format.conf
+++ b/package/etc/conf.d/conflib/_common/syslog_format.conf
@@ -7,9 +7,6 @@ filter f_rfc5424_noversion{
 filter f_rfc3164_version{
 message('^(?(?
(?<\d{1,3}>)(?[1-9][0-9]?) (?[A-Za-z]{3} \d\d \d\d:\d\d:\d\d) (?[^ ]+) ))');
 };
-rewrite set_rfcnonconformant{
- set("rfc5424_nonconform" value("fields.sc4s_syslog_format"));
-};
 rewrite set_rfc5424_strict{
 set("rfc5424_strict" value("fields.sc4s_syslog_format"));
 };
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
index 6b54feb..480130a 100644
--- a/package/etc/go_templates/source_network.t
+++ b/package/etc/go_templates/source_network.t
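Review bot: Deleting the `rewrite set_rfcnonconformant{ ... }` definition is a breaking change for any configuration outside this package that still calls `rewrite(set_rfcnonconformant)`, because syslog-ng treats a reference to an undefined rewrite as a configuration error and the service fails to start rather than degrading. The patch only touches the shipped conflib file, so it is worth checking the `local_config` overrides and any documentation for references to the name and to the `rfc5424_nonconform` value before release, and recording the removal in the changelog. The `f_rfc3164_version` regex above the removed block starts in the previous line of this rendering.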
@@ -58,41 +58,39 @@ source s_{{ .port_id }} {
 );
 {{- end}}
 };
- #TODO: #60 Remove this function with enhancement
- rewrite(set_rfcnonconformant);
-{{- if eq .parser "rfc3164" }}
+{{ if eq .parser "rfc3164" }}
 parser {
 syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
 };
 rewrite(set_rfc3164);
-{{- else if eq .parser "rfc3164_version" }}
+{{ else if eq .parser "rfc3164_version" }}
 # filter(f_rfc3164_version);
 rewrite(set_rfc3164_no_version_string);
 parser {
 syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
 };
 rewrite(set_rfc3164_version);
-{{- else if eq .parser "rfc5424_strict" }}
+{{ else if eq .parser "rfc5424_strict" }}
 # filter(f_rfc5424_strict);
 parser {
 syslog-parser(flags(syslog-protocol));
 };
 rewrite(set_rfc5424_strict);
-{{- else if eq .parser "rfc5424_noversion" }}
+{{ else if eq .parser "rfc5424_noversion" }}
 # filter(f_rfc5424_noversion);
 parser {
 syslog-parser(flags(syslog-protocol));
 };
 rewrite(set_rfc5424_noversion);
-{{- else if eq .parser "cisco_parser" }}
+{{ else if eq .parser "cisco_parser" }}
 parser {cisco-parser()};
 rewrite(set_cisco_ios);
-{{- else if eq .parser "cisco_meraki_parser" }}
+{{ else if eq .parser "cisco_meraki_parser" }}
 parser (p_cisco_meraki);
 rewrite(set_rfc5424_epochtime);
-{{- else if eq .parser "no_parse" }}
+{{ else if eq .parser "no_parse" }}
 rewrite(set_no_parse);
-{{- else }}
+{{ else }}
 if {
 filter(f_rfc3164_version);
 rewrite(set_rfc3164_no_version_string);
@@ -124,9 +122,8 @@ source s_{{ .port_id }} {
 };
 rewrite(set_rfc3164);
 };
-{{- end }}
+{{ end }}
 rewrite(r_set_splunk_default);
-
 parser {
 vendor_product_by_source();
 };
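Review bot: Dropping `rewrite(set_rfcnonconformant)` at the top of the first hunk also drops the one label that marked a message as matching none of the expected formats; with the `# filter(...)` lines still disabled and the visible tail of the `{{ else }}` soup ending in `rewrite(set_rfc3164);`, a message that matches nothing now appears to be labelled `rfc3164` rather than `rfc5424_nonconform`, so `sc4s_syslog_format` no longer distinguishes "parsed as rfc3164" from "fell through". If that fall-through is intended, say so above the `{{ if eq .parser "rfc3164" }}` line, e.g. `{{- /* sc4s_syslog_format is set by the selected branch; the final else branch falls through to rfc3164 */}}`. The `{{ else }}` soup is only partly inside the hunk, so the fall-through reading is inferred from the lines shown. The enclosing `source s_{{ .port_id }}` template starts outside the hunk.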